Barracuda Logs in Wazuh


Anderson Cabrera

Nov 17, 2024, 11:35:21 PM (4 days ago) Nov 17
to Wazuh | Mailing List

Hello everyone,

I'm currently working on integrating Barracuda logs into Wazuh, but I'm facing an issue where alerts for inbound/pass|^scan|^outbound/smtp events are not being triggered. Here are some examples of the logs I'm receiving:

Logs in /var/ossec/logs/archives/archives.json

Inbound Log

{"timestamp":"2024-11-18T02:31:02.643+0000","agent":{"id":"000","name":"1-wazuh"},"manager":{"name":"1-wazuh"},"id":"1731897062.1752952","full_log":" inbound/pass1: outbound-ip61b.ess.barracuda.com[192.168.1.10] 1731897060-1717ba5d04124d30001-T8iiHl 1731897061 1731897062 SCAN ENC inv...@domain.com us...@company.com - 2 34 .domain.com SZ:5291 SUBJ:Invoice Notification - (37608342130896595168)","decoder":{},"location":"192.168.1.1"}

{"timestamp":"2024-11-18T02:31:17.410+0000","agent":{"id":"000","name":"1-wazuh"},"manager":{"name":"1-wazuh"},"id":"1731897077.1758527","full_log":" inbound/pass1: outbound-ip122a.ess.barracuda.com[192.168.1.11] 1731897075-1717ba5d04124d40001-Ma5gIz 1731897076 1731897077 SCAN ENC pay...@domain.com us...@company.com - 2 34 .domain.com SZ:5291 SUBJ:Payment Reminder - (23813344959434386870)","decoder":{},"location":"192.168.1.1"}

Scan Log

{"timestamp":"2024-11-18T02:31:20.283+0000","agent":{"id":"000","name":"1-wazuh"},"manager":{"name":"1-wazuh"},"id":"1731897080.1758527","full_log":" scan: outbound-ip99a.ess.barracuda.com[192.0.2.1] 1731896655-1717ba5d03124b80001-fakeID 1731896656 1731896659 SCAN ENC fake...@domain.com fake...@company.com 1.305 0 0 - SZ:373607 SUBJ:Important Update Regarding Your Account - (12345678901234567890)","decoder":{},"location":"192.168.1.1"}

Outbound/SMTP

{"timestamp":"2024-11-18T03:10:01.409+0000","agent":{"id":"000","name":"1-wazuh"},"manager":{"name":"1-wazuh"},"id":"1731899401.2192974","full_log":" outbound/smtp: 127.0.0.1 1731899398-1717ba5d03125830001-TsLtm0 0 0 SEND ENC 1 2D11A12004D 250 2.6.0 <6a3998a6-e2bd-4a5a...@indeedemail.com> [InternalId=72653666779189, Hostname=SPSRVCORREO1.company.com.] 15992 bytes in 0.104, 149.416 KB/sec Queued mail for delivery #to#10.10.10.17[10.10.10.17]:15","decoder":{},"location":" 192.168.1.1"}

Maybe I need to make new decoders and rules; I'd appreciate any help.

Bony V John

Nov 18, 2024, 5:35:16 AM (3 days ago) Nov 18
to Wazuh | Mailing List
Hi Anderson,

The alerts for Barracuda will appear on the dashboard for inbound/pass|^scan|^outbound/smtp events, provided that decoders and rules are configured for these logs. I’ve created a sample decoder and rule based on the logs you shared in your email. Please test the decoder and rule to ensure they work for your use case. You can also refer to the Wazuh Decoder and Rules Documentation to write additional rules and decoders as needed.

Sample Logs
inbound/pass1: outbound-ip61b.ess.barracuda.com[192.168.1.10] 1731897060-1717ba5d04124d30001-T8iiHl 1731897061 1731897062 SCAN ENC inv...@domain.com us...@company.com - 2 34 .domain.com SZ:5291 SUBJ:Invoice Notification - (37608342130896595168)
inbound/pass1: outbound-ip122a.ess.barracuda.com[192.168.1.11] 1731897075-1717ba5d04124d40001-Ma5gIz 1731897076 1731897077 SCAN ENC pay...@domain.com us...@company.com - 2 34 .domain.com SZ:5291 SUBJ:Payment Reminder - (23813344959434386870)
scan: outbound-ip99a.ess.barracuda.com[192.0.2.1] 1731896655-1717ba5d03124b80001-fakeID 1731896656 1731896659 SCAN ENC fake...@domain.com fake...@company.com 1.305 0 0 - SZ:373607 SUBJ:Important Update Regarding Your Account - (12345678901234567890)
outbound/smtp: 127.0.0.1 1731899398-1717ba5d03125830001-TsLtm0 0 0 SEND ENC 1 2D11A12004D 250 2.6.0 <6a3998a6-e2bd-4a5a...@indeedemail.com> [InternalId=72653666779189, Hostname=SPSRVCORREO1.company.com.] 15992 bytes in 0.104, 149.416 KB/sec Queued mail for delivery #to#10.10.10.17[10.10.10.17]:15


Decoder
<decoder name="barracuda">
    <prematch>^\S+:</prematch>
</decoder>

<decoder name="barracuda-child">
    <parent>barracuda</parent>
    <regex>^(\S+):</regex>
    <order>eventtype</order>
</decoder>

<decoder name="barracuda-child">
    <parent>barracuda</parent>
    <regex>^\S+:\s(\.*)[|Hostname=(\.*)]</regex>
    <order>Hostname</order>
</decoder>

<decoder name="barracuda-child">
    <parent>barracuda</parent>
    <regex>(\d+.\d+.\d+.\d+)</regex>
    <order>ip</order>
</decoder>


Rules
<group name="network-traffic">

  <rule id="100002" level="3">
    <decoded_as>barracuda</decoded_as>
    <field name="eventtype">inbound/pass1|outbound/smtp</field>
    <description>$(eventtype) traffic detected by barracuda.</description>
  </rule>
 
  <rule id="100003" level="3">
    <decoded_as>barracuda</decoded_as>
    <field name="eventtype">scan</field>
    <description>$(eventtype) operation done by barracuda.</description>
  </rule>
 
</group>


I hope this helps! Please let me know if you have any further questions or need additional assistance.

Anderson Cabrera

Nov 20, 2024, 12:19:13 AM (yesterday) Nov 20
to Wazuh | Mailing List

Hi Bony,

Thank you for your help. I’ve added the decoders and rules and tested them, but the alerts aren’t showing up on my dashboard. I’m not sure what the issue could be. Could you help me check what might be going wrong?


# tcpdump -i any port 514 -AA | grep barracuda

tcpdump: data link type LINUX_SLL2
tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on any, link-type LINUX_SLL2 (Linux cooked v2), snapshot length 262144 bytes
.#Vm...<<23> inbound/pass1: outbound-ip61b.ess.barracuda.com[209.222.82.238] 1732042601-1717ba5d0417d610001-OWfI0F 1732042602 1732042603 SCAN ENC test...@vps-abc123.vps.ovh.net eus...@argos.com - 2 34 .vps.ovh.net SZ:5292 SUBJ:Your invoice has been issued (PENDING) - (6194889761825374853735)
.#\....1<23> inbound/pass1: outbound-ip137a.ess.barracuda.com[209.222.82.7] 1732042607-1717ba5d0417d620001-p2ALk3 1732042608 1732042609 SCAN ENC bil...@vps-xyz789.vps.ovh.net jo...@argos.com - 2 34 .vps.ovh.net SZ:5324 SUBJ:Your invoice has been issued (PENDING) - (19/11/2024 )
.#{`..F.<23> inbound/pass1: outbound-ip107b.ess.barracuda.com[209.222.82.251] 1732042639-1717ba5d0417d640001-zqvIGL 1732042640 1732042641 SCAN ENC - sup...@argos.com - 7 11 - SZ:63862 SUBJ:=?UTF-8?B?RW50cmVnYWRvOiBSVjogU2l0dWFjacOzbiBTZcOxb3IgUGVkcm8gU2FsaW5hcyBaYW1vcmEg?=
.#....}]<23> scan: outbound-ip91a.ess.barracuda.com[209.222.82.244] 1732042652-1717ba5d0317d650001-n1V4cW 1732042653 1732042656 SCAN ENC in...@argos.com ja...@hotmail.com 1.315 0 0 - SZ:428875 SUBJ:Protect your property from pigeons and seagulls naturally
.#......<23> inbound/pass1: outbound-ip121a.ess.barracuda.com[209.222.82.130] 1732042731-1717ba5d0317d6a0001-6OVzRw 1732042731 1732042733 SCAN ENC fin...@vps-f97acdd5.vps.ovh.net mar...@gmail.com - 2 34 .vps.ovh.net SZ:5274 SUBJ:Your invoice has been issued (PENDING) - REF:(mar...@gmail.com)

in archives.json:

{"timestamp":"2024-11-19T15:13:34.783+0000","agent":{"id":"000","name":"vm-wazuh"},"manager":{"name":"vm-wazuh"},"id":"1732029214.18713369","full_log":" inbound/pass1: outbound-ip62a.ess.barracuda.com[209.222.82.237] 1732029202-1717ba5d03178780001-2bXCt8 1732029203 1732029214 SCAN ENC john...@example.com new...@fakemail.com - 7 11 - SZ:5635956 SUBJ:=?UTF-8?B?UHJlc2VudGFjacOzbiBPcHRpbWljZSBQZXLDug==?=","decoder":{},"location":"192.168.1.1"}
{"timestamp":"2024-11-19T15:13:45.324+0000","agent":{"id":"000","name":"vm-wazuh"},"manager":{"name":"vm-wazuh"},"id":"1732029225.18722734","full_log":" scan: outbound-ip122a.ess.barracuda.com[200.212.81.131] 1732029222-1717ba5d03178790001-pdtpHZ 1732029222 1732029225 SCAN ENC jane....@sampledomain.com jd...@newdomain.com - 7 15 - SZ:938841 SUBJ:Sample Subject","decoder":{},"location":"192.168.1.2"}
{"timestamp":"2024-11-19T15:13:55.492+0000","agent":{"id":"000","name":"vm-wazuh"},"manager":{"name":"vm-wazuh"},"id":"1732029235.18724778","full_log":" scan: outbound-ip167a.ess.barracuda.com[200.212.82.15] 1732029232-1717ba5d041787a0001-vmIYJR 1732029233 1732029235 SCAN ENC new.c...@gmail.com someo...@anotherdomain.com - 7 15 - SZ:565801 SUBJ:Re: REQUEST FOR QUOTATION PA 24-02631","decoder":{},"location":"192.168.1.3"}
{"timestamp":"2024-11-19T15:13:58.435+0000","agent":{"id":"000","name":"vm-wazuh"},"manager":{"name":"vm-wazuh"},"id":"1732029238.18724778","full_log":" scan: outbound-ip76a.ess.barracuda.com[200.212.82.240] 1732029234-1717ba5d031787a0001-CZamuu 1732029234 1732029238 SCAN ENC newsl...@samplemail.com us...@newdomain.com 0.012 0 0 - SZ:10963 SUBJ:=?windows-1252?Q?=A1HASTA_60%_DSCTO._EN_LIBROS-_Celebramos_l=","decoder":{},"location":"192.168.1.4"}
{"timestamp":"2024-11-19T15:13:59.120+0000","agent":{"id":"000","name":"vm-wazuh"},"manager":{"name":"vm-wazuh"},"id":"1732029239.18724778","full_log":" scan: outbound-ip106a.ess.barracuda.com[200.212.82.208] 1732029236-1717ba5d031787b0001-CjT6k8 1732029237 1732029239 SCAN ENC bounce...@mailer.test.com examp...@newdomain.com 2.501 0 0 - SZ:15762 SUBJ:=?UTF-8?B?UHJlcMOhcmF0ZSBwYXJhIGVsIGJyaW5kaXMgY29uIGRlc2N1ZW50?==?UTF-8?B?b3MgZXhjbHVzaXZvcyBlbiBEZXN0aW5vcyBhbCBTYWJvcvCfpYI=?=","decoder":{},"location":"192.168.1.5"}


It's not in alerts.json or alerts.log.


I'd appreciate any help.


Bony V John

Nov 20, 2024, 1:17:00 AM (yesterday) Nov 20
to Wazuh | Mailing List
Hi Anderson,

Apologies for the inconvenience caused. While reviewing the sample logs you recently shared, I noticed a space at the beginning of each log, specifically between "full_log":" and outbound/smtp. For example:
{"timestamp":"2024-11-18T03:10:01.409+0000","agent":{"id":"000","name":"1-wazuh"},"manager":{"name":"1-wazuh"},"id":"1731899401.2192974","full_log":" outbound/smtp: 127.0.0.1 1731899398-1717ba5d03125830001-TsLtm0 0 0 SEND ENC 1 2D11A12004D 250 2.6.0 <6a3998a6-e2bd-4a5a...@indeedemail.com> [InternalId=72653666779189, Hostname=SPSRVCORREO1.company.com.] 15992 bytes in 0.104, 149.416 KB/sec Queued mail for delivery #to#10.10.10.17[10.10.10.17]:15","decoder":{},"location":" 192.168.1.1"}

I have updated the decoder regex to accommodate this (replacing \S+ with \.* so that it also matches when there is a space). Please try the updated decoder below:
<decoder name="barracuda">
    <!-- Parent decoder: the event type ends at the first colon. \.+ is used instead of \S+
         so that the leading space in full_log (" inbound/pass1: ...") still matches. -->
    <prematch>^\.+:</prematch>
</decoder>

<decoder name="barracuda-child">
    <parent>barracuda</parent>
    <!-- eventtype: the text before the first colon (inbound/pass1, scan, outbound/smtp) -->
    <regex>^(\.+):</regex>
    <order>eventtype</order>
</decoder>

<decoder name="barracuda-child">
    <parent>barracuda</parent>
    <!-- Hostname: the token before "[" on inbound/scan lines, or the Hostname= value
         on outbound/smtp lines ("|" is alternation in the OS_Regex syntax). -->
    <regex>^\.+:\s(\.*)[|Hostname=(\.*)]</regex>
    <order>Hostname</order>
</decoder>

<decoder name="barracuda-child">
    <parent>barracuda</parent>
    <!-- ip: the first dotted quad in the line (an unescaped "." is a literal dot in OS_Regex) -->
    <regex>(\d+.\d+.\d+.\d+)</regex>
    <order>ip</order>
</decoder>


After saving the updated decoder, restart the Wazuh manager using the following command:
systemctl restart wazuh-manager

Note: For the rules, ensure that rule IDs 100002 and 100003 are not already used by any other rules. If these rule IDs are already assigned, change them to any unique value between 100000 and 119999.
After changing the rule IDs, save the rules and restart the Wazuh manager again.

To test the decoder, use the following steps:
 1.  Go to the Wazuh Manager CLI.
 2.  Run the command:
/var/ossec/bin/wazuh-logtest
 3.  Paste the sample log and check if the rule triggers correctly.

If this does not resolve the issue, please share the Filebeat logs for further investigation. Run the following command on the Wazuh Manager to capture any errors or warnings:
cat /var/log/filebeat/filebeat | grep -iE "error|warn|crit|fatal"

I hope this helps! Please let me know if it resolves your issue or if further assistance is needed.

Regards,
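The field extraction that the two decoder versions in this thread aim for, written out as a Python parser over the three Barracuda ESS event shapes shown above (an added example, not code from the thread, from Wazuh or from Barracuda; the field names and the RULES mapping are my own assumptions, mirroring the posted decoders and rules). It tolerates the leading space in full_log that defeated the first ^\S+: prematch and returns the rule id the posted rules would fire.

```python
import re

# Event-type prefix. Leading whitespace is tolerated on purpose: the thread's
# first decoder used ^\S+: and missed every line because full_log begins with " ".
_PREFIX = re.compile(r"^\s*(?P<eventtype>[A-Za-z0-9_/]+):\s*(?P<rest>.*)$")
_HOST_IP = re.compile(r"^(?P<host>[\w.-]+)\[(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\]")
_HOSTNAME = re.compile(r"Hostname=(?P<host>[^\]\s,]+)")
_IPV4 = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")
_SIZE = re.compile(r"\bSZ:(\d+)")
_SUBJ = re.compile(r"\bSUBJ:(.*)$")
# Assumed mapping that mirrors the two rules posted in the thread.
RULES = {"inbound/pass1": 100002, "outbound/smtp": 100002, "scan": 100003}
# Constructed samples in the three shapes from the thread, leading space included.
SAMPLE_LOGS = [
    " inbound/pass1: outbound-ip61b.ess.barracuda.com[192.168.1.10] 1731897060-1717ba5d04124d30001-T8iiHl 1731897061 1731897062 SCAN ENC inv...@domain.com us...@company.com - 2 34 .domain.com SZ:5291 SUBJ:Invoice Notification - (37608342130896595168)",
    " scan: outbound-ip99a.ess.barracuda.com[192.0.2.1] 1731896655-1717ba5d03124b80001-fakeID 1731896656 1731896659 SCAN ENC fake...@domain.com fake...@company.com 1.305 0 0 - SZ:373607 SUBJ:Important Update Regarding Your Account - (12345678901234567890)",
    " outbound/smtp: 127.0.0.1 1731899398-1717ba5d03125830001-TsLtm0 0 0 SEND ENC 1 2D11A12004D 250 2.6.0 <6a3998a6-e2bd-4a5a...@indeedemail.com> [InternalId=72653666779189, Hostname=SPSRVCORREO1.company.com.] 15992 bytes in 0.104, 149.416 KB/sec Queued mail for delivery #to#10.10.10.17[10.10.10.17]:15",
]


def parse_barracuda(line):
    """Decode one Barracuda ESS line into fields; None if it is not one."""
    m = _PREFIX.match(line)
    if not m:
        return None
    event, rest = {"eventtype": m.group("eventtype")}, m.group("rest")
    host = _HOST_IP.match(rest)  # inbound/scan: "relay[ip] msgid ts ts SCAN ENC from to ..."
    if host:
        event["hostname"], event["ip"] = host.group("host"), host.group("ip")
        tokens = rest.split()
        if len(tokens) >= 8 and tokens[4] == "SCAN":
            event["sender"], event["recipient"] = tokens[6], tokens[7]
    else:  # outbound/smtp: "ip msgid ... [InternalId=..., Hostname=...] ..."
        host, ip = _HOSTNAME.search(rest), _IPV4.search(rest)
        if host:
            event["hostname"] = host.group("host")
        if ip:
            event["ip"] = ip.group(0)
    size, subj = _SIZE.search(rest), _SUBJ.search(rest)
    if size:
        event["size"] = int(size.group(1))
    if subj:
        event["subject"] = subj.group(1)
    return event


def match_rule(event):
    """Rule id the posted rules would fire for a decoded event, or None."""
    return RULES.get(event["eventtype"]) if event else None
```

Unlike the revised prematch ^\.+:, which accepts any line containing a colon, the prefix pattern here only accepts the event-type token, so lines from other syslog sources are not claimed; feeding wazuh-logtest a non-Barracuda line is a useful check that the XML decoder behaves the same way.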

Anderson Cabrera

Nov 20, 2024, 11:35:22 PM (15 hours ago) Nov 20
to Wazuh | Mailing List
It's working, thanks for the help.

Bony V John

4:43 AM (10 hours ago) 4:43 AM
to Wazuh | Mailing List
Hi Anderson,

I'm glad to hear that! Please let us know if you have any further doubts or concerns. For now, I'm closing this issue.  
Regards,
